
Parasite: PurityScan

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

PurityScan is adware written and distributed by ClickSpring LLC.

Its stated purpose is to find “hidden porn files” on a user’s PC, which is done by the dubious method of looking for sex-related keywords in the names of files on the hard disc. (However this functionality has never worked for me during testing, always finding nothing.)

Variants

PurityScan/Winservs: first release. Puts an advert-spawning process named winservs.exe in the User (not systemwide) Startup submenu of the Start button’s Programs menu. Controlling server: clickspring.net.

PurityScan/WinservN: now stored in the System32 folder (inside the Windows folder, called just ‘System’ under Windows 95/98/Me) and started with Windows through the registry Run key.

PurityScan/WRnd: as WinServN except the filename and the registry entry that runs it at startup now have semi-random names.

PurityScan/NDrv: the process in the System32 folder is renamed NDrv.exe and works with an additional Internet Explorer Browser Helper Object (BHO) named NDrv.dll.

PurityScan/NRnd: as NDrv, but the BHO has a random-nonsense filename made up of 3-8 lower-case letters, and a random class ID. The startup process’s filename will now be the same as a legitimate system .exe file from the System32 folder but with one or more letters changed to identical-looking Unicode Cyrillic characters. For example, the Cyrillic character ‘es’ is used in place of the Latin ‘c’, which looks identical; on Windows 95/98/Me or in non-Unicode applications these characters will appear as question marks (e.g. ??plorer.exe) and the file may be inaccessible. Controlling server campaigns.outerinfo.com; may also open advertising direct from ValueAd (banners.valuead.com, cs.valuead.com).

PurityScan/Mendware: a process with a random name composed of four lower-case letters, stored in the Application Data folder and run at startup. Typically delivered with the WRnd and NDrv variants, it works as a backdoor to reinstall the main PurityScan software if it gets deleted or damaged. May also be used as a delayed-action loader for the main PurityScan software in some bundles. Controlling servers 66.150.193.111, fp.clickspring.net and pisces.clickspring.net.

PurityScan/M2: an updated version of MendWare that additionally makes itself a hidden system file and changes some of the lower-case letters in its filename into Unicode Cyrillic characters.

Also known as

Sear1, after its internal process name.

PurityScan/M2 is known as DrummerBoy by Bazooka (kephyr.com) anti-spyware.

Distribution

PurityScan is marketed as a direct download from purityscan.com and, under the name VirtueSCOPE from virtuescope.com, promoted by adverts at porn sites.

It is also bundled as plain adware—without the scanning component—by other programs, such as Grokster and Kazaa around early 2004, and silently loaded by ClickSpring’s own MediaTickets parasite as well as the WildMedia/Midaddle parasite.

What it does

Advertising

Yes, in the Winservs, WinservN, WRnd, NDrv and NRnd variants. Periodically opens non-targeted pop-up adverts as directed by its controlling server.

Advertising may originate from ClickSpring’s sales firms OuterInfo (outerinfo.com) and Windsor Pearl (windsorpearl.com).

For Mendware and M2, no.

Privacy violation

The M2 variant contacts its controlling server fp.clickspring.net on installation and sends the serial numbers of the hard disc, network card (MAC address), CPU and operating system onto which it is installed.

Otherwise, no.

Security issues

Yes, in the Mendware and M2 variants. Can download and execute arbitrary code as directed by the controlling server.

Stability problems

The NDrv and NRnd variants may drop a corrupted .exe file with one of the names from the WRnd variant into the System32 folder and then try to run it when they first install. On some versions of Windows this may result in ntvdm.exe using 100% of CPU, making the computer slow and causing system shutdown not to respond.

Removal

If installed directly from purityscan.com or virtuescope.com there may be a corresponding entry in the Control Panel’s Add/Remove Software list which can be used to remove the software.

Manual removal

Winservs variant

Click the Start button, open the Programs menu and the Startup menu inside it. Right-click on the ‘Winservs’ icon and choose Delete.

WinservN variant

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. On the right-hand side, right-click the entry named ‘Content Service’ pointing at winservn.exe, and choose ‘Delete’.

Restart the computer and you should be able to delete the ‘winservn.exe’ file inside the System folder (which is inside the Windows folder, called ‘System32’ on Windows NT/2000/XP/2003).

WRnd variant

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

One of the entries on the right-hand side will be a four-capital-letter entry pointing to a file in the System folder with a name beginning with ‘w’. These are chosen by sticking together bits of filename seemingly at random; known filenames are shown here with their corresponding entry names.

WAPI wtscc.exe, wtsit.exe, wtssu.exe, wtstr.exe, wtssvcc.exe, wtssvit.exe, wtssvsu.exe, wtssvtr.exe
WCPC wintsvcc.exe
WCPI wintsvit.exe
WCPS wintcc.exe, wintit.exe, wintsu.exe, winttr.exe, wintsvsu.exe
WCPT wintsvtr.exe
WINT wcpcc.exe, wcpit.exe, wcpsu.exe, wcptr.exe, wcpsvcc.exe, scpsvit.exe, wcpsvsu.exe, scpsvtr.exe
WNSA wnstscc.exe, wnstsit.exe, wnstssu.exe, wnststr.exe, wnstssv.exe
WNSC wnsintcc.exe, wnsintit.exe, wnsintsu.exe, wnsinttr.exe, wnsintsv.exe
WNSI wnscpcc.exe, wnscpit.exe, wnscpsu.exe, wnscptr.exe, wnscpsv.exe
WNST wnsapicc.exe, wnsapiit.exe, wnsapisu.exe, wnsapitr.exe, wnsapisv.exe
WTSC wapisvcc.exe
WTSI wapisvit.exe
WTSS wapicc.exe, wapiit.exe, wapisu.exe, wapitr.exe, wapisvsu.exe
WTST wapisvtr.exe

Remember the filename and delete the entry. Restart the computer and you should be able to delete this file from the System folder (which is inside the Windows folder, and called ‘System32’ under Windows NT/2000/XP/2003).

PurityScan/WRnd is typically delivered with the Mendware or M2 variant; check for these to stop it reinstalling.

NDrv variant

Open a Command Prompt window (from the Accessories submenu in the Programs menu on the Start button) and enter the following commands to unregister the BHO (use System32 instead of System under Windows NT/2000/XP/2003):

cd %WinDir%\System
regsvr32 /u NDrv.dll

Next, open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. On the right-hand side, right-click the ‘NDrv’ entry pointing to ‘NDrv.exe’ and choose ‘Delete’.

Restart the computer and you should be able to delete the files ‘NDrv.exe’ and ‘NDrv.dll’ from the System folder (inside the Windows folder, called ‘System32’ under Windows NT/2000/XP/2003).

PurityScan/NDrv is typically delivered with the Mendware or M2 variant; check for these to stop it reinstalling.

NRnd variant

Due to the random elements, removing PurityScan/NRnd by hand is tricky. Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

On the right, you should find an entry comprising 3-6 random letters (the first in capital, the rest lower-case) pointing to what appears to be a valid system file in the System32 folder. Note the filename and delete the entry.

Next, open the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and look at the list of class IDs listed as subkeys. For each of these, open the subkey of the same name inside HKEY_CLASSES_ROOT\CLSID and select the InprocServer32 subkey. On the right, look for a (Default) entry pointing at a random-nonsense filename inside System32. Note the filename and delete the entire {...number...} subkey.

Restart the machine and you should be able to delete both the noted filenames from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me). Be very careful deleting the .EXE file because its name will look the same as a valid system file. The ‘bad’ file should be about 364KB long, and will be hidden (so to see it at all you will have to go to the Folder Options and turn off the ‘Do not show hidden files and folder’ and ‘Hide protected system files’ options). If you are not sure, don’t delete the file; as long as the registry entries are gone it should be harmless.
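The Cyrillic look-alike trick used by the NRnd variant (and by M2 for its own filename), and the warning just above that the ‘bad’ .EXE looks the same as a valid system file, can be checked mechanically rather than by eye: map each Cyrillic letter that has an identical-looking Latin counterpart back to that Latin letter and see whether the result is a known system filename. The Python script below is an added example, not code from the original page or from doxdesk. The directory listing it scans and the list of legitimate names are constructed for the demonstration, and the confusables table covers only the Latin letters that have an identical-looking Cyrillic form.

```python
"""Spot System32-style filenames whose Latin letters have been swapped for
look-alike Cyrillic letters, as the PurityScan/NRnd and M2 variants do.

Added example; the sample listing and the set of legitimate names below are
constructed, and the confusables map is deliberately limited to letters with
an identical-looking Cyrillic counterpart.
"""
import unicodedata

# Cyrillic code points that render the same as a Latin letter in common fonts,
# mapped to the Latin letter they impersonate.
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES (the 'c' substitution the page describes)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}


def skeleton(name):
    """Return (name with every known Cyrillic look-alike mapped back to Latin,
    number of characters that were mapped)."""
    out, swapped = [], 0
    for ch in name:
        if ch in CYRILLIC_TO_LATIN:
            out.append(CYRILLIC_TO_LATIN[ch])
            swapped += 1
        else:
            out.append(ch)
    return "".join(out), swapped


def cyrillic_positions(name):
    """Indexes of characters from the Cyrillic script, for a readable report."""
    return [i for i, ch in enumerate(name) if "CYRILLIC" in unicodedata.name(ch, "")]


def classify(name, legit_names):
    """Classify one filename against a set of legitimate (ASCII, lower-case) names.

    'legit'     - pure ASCII and listed as legitimate
    'unknown'   - pure ASCII but not listed (this check gives no verdict)
    'spoof'     - contains Cyrillic look-alikes and, once they are mapped back,
                  matches a legitimate filename (the NRnd trick)
    'non-ascii' - non-ASCII characters that do not map to a legitimate name
    """
    lowered = name.lower()
    if lowered.isascii():
        return "legit" if lowered in legit_names else "unknown"
    mapped, swapped = skeleton(lowered)
    if swapped and mapped in legit_names:
        return "spoof"
    return "non-ascii"


def find_spoofed(filenames, legit_names):
    """Return [(filename, impersonated name, cyrillic positions)] for every spoof."""
    hits = []
    for name in filenames:
        if classify(name, legit_names) == "spoof":
            hits.append((name, skeleton(name.lower())[0], cyrillic_positions(name)))
    return hits


# Constructed sample: a System32 listing as a Unicode-aware tool would read it.
LEGIT = {"explorer.exe", "svchost.exe", "ctfmon.exe", "winlogon.exe"}
SAMPLE_LISTING = [
    "explorer.exe",
    "svchost.exe",
    "sv\u0441host.exe",        # Latin 'c' replaced by Cyrillic es; looks identical
    "\u0435\u0445plorer.exe",  # 'ex' replaced; a non-Unicode app shows this as ??plorer.exe
    "ctfmon.exe",
    "wtssu.exe",               # ASCII-only WRnd-style name: outside this check's scope
]

if __name__ == "__main__":
    for name, mapped, where in find_spoofed(SAMPLE_LISTING, LEGIT):
        print(f"{name!r} impersonates {mapped} (Cyrillic letters at positions {where})")
```

Run it against a real listing from a Unicode-aware directory walk (Windows 95/98/Me tools that show question marks have already lost the information this check needs). A ‘spoof’ result identifies which file to inspect for the size and hidden attribute described above; an ‘unknown’ result is not evidence either way.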

Mendware, M2 variants

Open the registry (click ‘Start’, choose ‘Run’, then enter the command ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

On the right-hand side, there should be an entry whose name is four random letters (the first one capitalised), pointing to a .exe file whose name is another four different random letters (all lower-case) in the Application Data folder. If you have the M2 variant, some of the filename’s letters may be replaced by question marks.

Right-click this entry and choose ‘Delete’.

Reboot the computer and you should be able to delete this file, and a likely-empty folder whose name is another four different random letters, from the Application Data folder.

The Application Data folder can be found inside the Windows folder under Windows 95/98/Me, inside the user’s Profile folder inside Windows under Windows NT, or in the user’s Documents and Settings folder under Windows 2000/XP/2003.

Note that Application Data is usually hidden, and the M2 variant’s EXE file is also set up to be a hidden system file. Make sure you can see everything by going to Folder Options (Tools->Options on an Explorer window), opening the View tab, turning on the ‘Show hidden files and folders’ option and turning off the ‘Hide protected operating system files’ option.
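The registry checks in the WRnd, NRnd and Mendware/M2 sections above (the four-capital-letter Run entry pointing at a filename from the WRnd table, the 3-6 letter entry pointing into System32, the four-letter entry pointing into Application Data, and the BHO class IDs resolved through HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32) can be run over an export of the keys instead of being read off in regedit. The Python script below is an added example, not code from the original page or from doxdesk: it parses the .reg text that regedit’s Export command produces for string values and then applies those checks. The export it scans is constructed, with placeholder class IDs and paths, and the WRnd filename table is copied from the section above.

```python
"""Audit a Registry export (.reg text) for the PurityScan start-up entries and
Browser Helper Object described on this page.

Added example.  SAMPLE_EXPORT is constructed (placeholder CLSIDs and paths);
WRND_FILES is the page's own table of entry names and filenames.
"""
import re

# WRnd: four-capital-letter Run entry name -> known filenames (table copied from above).
WRND_FILES = {
    "WAPI": "wtscc wtsit wtssu wtstr wtssvcc wtssvit wtssvsu wtssvtr",
    "WCPC": "wintsvcc", "WCPI": "wintsvit", "WCPT": "wintsvtr",
    "WCPS": "wintcc wintit wintsu winttr wintsvsu",
    "WINT": "wcpcc wcpit wcpsu wcptr wcpsvcc scpsvit wcpsvsu scpsvtr",
    "WNSA": "wnstscc wnstsit wnstssu wnststr wnstssv",
    "WNSC": "wnsintcc wnsintit wnsintsu wnsinttr wnsintsv",
    "WNSI": "wnscpcc wnscpit wnscpsu wnscptr wnscpsv",
    "WNST": "wnsapicc wnsapiit wnsapisu wnsapitr wnsapisv",
    "WTSC": "wapisvcc", "WTSI": "wapisvit", "WTST": "wapisvtr",
    "WTSS": "wapicc wapiit wapisu wapitr wapisvsu",
}
WRND_FILES = {k: {f + ".exe" for f in v.split()} for k, v in WRND_FILES.items()}

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    Handles the subset regedit emits for REG_SZ values: [key] headers,
    "name"="data" lines, @="data" for the (Default) value, and doubled
    backslashes inside data.  Other value types are ignored.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def audit_run_key(keys):
    """Flag Run entries matching the WRnd, Mendware/M2 and NRnd patterns."""
    findings = []
    for name, path in keys.get(RUN_KEY, {}).items():
        exe, folder = basename(path), path.lower()
        random_name = re.fullmatch(r"[A-Z][a-z]{2,5}", name)  # Xxx .. Xxxxxx
        if name in WRND_FILES and exe in WRND_FILES[name]:
            findings.append(("WRnd", name, path))
        elif (random_name and len(name) == 4 and "application data" in folder
              and re.fullmatch(r".{4}\.exe", exe)):
            findings.append(("Mendware/M2?", name, path))
        elif random_name and "system32" in folder:
            findings.append(("NRnd?", name, path))  # confirm with a Cyrillic-letter check
    return findings


def audit_bhos(keys):
    """Resolve each BHO CLSID to its InprocServer32 DLL; flag random lower-case names."""
    findings = []
    prefix = BHO_KEY + "\\"
    for key in keys:
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue                                   # not a direct {CLSID} subkey
        clsid = key[len(prefix):]
        server = keys.get(r"HKEY_CLASSES_ROOT\CLSID\{}\InprocServer32".format(clsid), {})
        dll = server.get("@", "")
        if re.fullmatch(r"[a-z]{3,8}\.dll", basename(dll)) and "system32" in dll.lower():
            findings.append(("NDrv/NRnd BHO", clsid, dll))
    return findings


def audit(text):
    keys = parse_reg(text)
    return audit_run_key(keys) + audit_bhos(keys)


# Constructed sample export: placeholder class IDs and paths, one clean entry per key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WCPS"="C:\\WINDOWS\\System32\\wintsu.exe"
"Qpev"="C:\\Documents and Settings\\user\\Application Data\\kzwq.exe"
"Xkqv"="C:\\WINDOWS\\System32\\sv{CYR_ES}host.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\ExampleHelper.dll"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\System32\\qzfbt.dll"
"ThreadingModel"="Apartment"
""".replace("{CYR_ES}", "\u0441")   # Cyrillic 'es' in place of Latin 'c', as NRnd does

if __name__ == "__main__":
    for kind, name, target in audit(SAMPLE_EXPORT):
        print(f"{kind:14} {name:40} -> {target}")
```

Export the Run key, the Browser Helper Objects key and HKEY_CLASSES_ROOT\CLSID with regedit (File -> Export) and pass the file contents to audit(); regedit writes exports as UTF-16, so open them with that encoding. The ‘NRnd?’ and ‘Mendware/M2?’ results are pattern matches only; confirm them against the file sizes, hidden attributes and folder locations described in the sections above before deleting anything.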

All variants

You can also delete the registry key HKEY_LOCAL_MACHINE\Software\ClickSpring to clean up if you like. If the software was installed with the porn-scanner component you can also delete the key HKEY_CURRENT_USER\Software\PurityScan and the ‘PurityScan’ folder inside Program Files.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
